- ICO has issued 23andMe with a £2.31 million ($3.1 million) fine
- The fine is a penalty for security failings behind the 2023 data breach
- A joint investigation found 'serious security failings'
The UK's data protection watchdog, the Information Commissioner's Office (ICO), has fined 23andMe £2.31 million for "failing to implement appropriate security measures to protect the personal information of UK users".
This follows a 2023 cyberattack in which hackers gained access to 23andMe users' personal data.
The breach directly affected only 0.1% of the company's customer base, roughly 14,000 accounts, but because the service lets users share information with one another, the hackers were also able to access "a significant number of files containing profile information about other users' ancestry that such users chose to share."
Stay safe
The joint investigation by the ICO and the Office of the Privacy Commissioner of Canada found 'serious security failings' and called 23andMe's response to the breach 'inadequate'.
After the hackers had compromised user credentials, the company waited months before launching a full investigation, and only confirmed the breach after an employee found the stolen data advertised for sale on Reddit.
This breach puts those affected at risk not only of the usual identity theft and fraud, but also of highly targeted social engineering attacks. If your genetic or family history is sold to a criminal, it can be used against you.
An example might be a "family member" who reaches out asking for more information about you, or a "medical company" that contacts you about a genetic health condition. If you are affected by this breach, be extra vigilant and cautious with any unexpected communication you receive.
"This was a deeply damaging breach that exposed sensitive personal information, family histories and even health conditions of thousands of people in the UK," said John Edwards, the UK Information Commissioner.
"As one of those affected told us: once this information is out there, it cannot be changed or reissued like a password or credit card number."
"23andMe did not take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people's most sensitive data vulnerable to exploitation and harm," Edwards added.
We reached out to 23andMe, and a spokesperson gave us a statement confirming that the TTAM Research Institute, "as part of its agreement to acquire 23andMe, has made several binding commitments to enhance protections for customer data and privacy".
These include, but are not limited to: "allowing individuals to delete their account and opt out of research at any time; notifying customers via email at least two days before the closing of the acquisition about TTAM's role, its commitment to privacy choices and instructions on how to delete data or opt out of research; agreeing not to sell or transfer genetic data in any subsequent bankruptcy or change of control to any entity that does not adopt TTAM's policies and comply with all applicable laws."